11-30-2007, 02:42 AM
zeurx
Regular 'Geeker
Join Date: Mar 2007
Posts: 415
*Exclusive* XIP Extractor v1.2

This is a small tool that will extract the XIP from a HTC payload nb file. This is based on no2chem's method. As of right now I have only tested it on carrier ROMs, so please leave feedback and bugs.
Quote:
Originally Posted by no2chem
maybe I should do a little write-up on how to port xip. essentially:

don't dump with rommaster (manually extract the rom)
to do this, first nbsplit, then on payload...
run imgfsfromnb. write down the imgfs start location.
open os.nb.payload with hex editor. go to the imgfs start location, and delete to end. go to the beginning of the file, and search for FE 03 00 EA (unconditional branch to 00 03 FE), and find the second / last occurrence. (this is the second xip).
delete everything from the beginning to just before the second branch.
save this as your xip.bin

open xipport. press dump xip.bin. move stuff around, checking the maps between the donor xip and your xip. when you're done, press realloc p, and write maps. if any area shows !!!, fix it. (usually, modify realaddress[r] in imageinfo.txt, where r is the xipregion).

technically, you might need to check the nk.exe pointer in S000 of nk.exe, but i think realloc p fixes that (maybe). if you're worried, from the old map of the xip (not from the donor, but your device), search for the rom_00 header, look at where it starts, check if it matches with the new map. If it doesn't you'll have to do this: if the old start address is 8ABCDEF9, search S000 of nk.exe for F9 DE BC 8A (just an example), because of the endianness of arm. replace with new start address, be sure to reverse it as well.

once you're done, write xipout.bin, and write it to os.nb.payload at the right xip2 address (for the titan, it's 3200000) (sleepy and not sure if I put the right amount of zeros, but the default is 3100000, so change the 1 to a 2.)

hopefully everything boots up after this. I've used this technique to change everything except nk.exe... which is device dependent, so you'll have to do other stuff...

http://www.airscanner.com/pubs/fogieDC11.pdf is a good reference for arm assembly opcodes
Code:
XIP Extractor v1.2

Requires .net v2
Available at the bottom of this post, and in my folder on the ftp

Version 1.2 r1
-------------
Fixed : Xipport loading bug

Version 1.2
-----------
Added : support for different xipport location
Changed : 05_OS.nb.payload is now the input file
Optimized : Fixed a double conversion to int

Version 1.1
-----------
Added : -x launches xipport (if located in the same folder) after extracting XIP
Changed : File name is now XIPExtract.exe for cli convenience 
Fixed : now -2 is default 

Version 1.0
-----------
Initial release
-f specifies the payload file
-o specifies the dump output file
-1 dumps XIP1
-2 dumps XIP2

Future Versions
---------------
* merge GetStartLoc.exe with the xipextract.exe
Many thanks to no2chem for his method, the original dev of viewimgfs and everyone else in the community devoting time, ideas, and effort towards XIP development!
Attached Files
File Type: zip XIP Extractor v1.2.zip (126.4 KB, 193 views)

Last edited by zeurx; 12-01-2007 at 12:13 PM. Reason: New Version!
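The manual cut that no2chem's quoted post describes (locate the last FE 03 00 EA branch before the IMGFS start and keep everything from there up to the IMGFS start) and the little-endian address search used to check the nk.exe start pointer in S000, as an added Python example. This is not zeurx's XIP Extractor and not no2chem's code. The payload below is a constructed byte buffer, the IMGFS start offset is passed in as a number (in practice it comes from imgfsfromnb), and all function names are my own.

```python
"""
Added example: the XIP cut from the quoted write-up, re-done in Python.

Assumptions (not from the original post or tool):
  - imgfs_start is already known (the post gets it from imgfsfromnb).
  - DEMO_PAYLOAD is a constructed buffer laid out as
    [padding][XIP1][XIP2][IMGFS], not a real 05_OS.nb.payload.
"""
import struct
from typing import List

# Little-endian bytes of the ARM unconditional branch (B 0x3FE) that the
# post searches for at the start of each XIP.
BRANCH_SIG = bytes.fromhex("FE0300EA")


def find_xip_starts(payload: bytes, imgfs_start: int) -> List[int]:
    """Return every offset of the branch signature that lies before the IMGFS.

    The post takes the second / last occurrence as the start of XIP2.
    """
    region = payload[:imgfs_start]
    starts = []
    pos = region.find(BRANCH_SIG)
    while pos != -1:
        starts.append(pos)
        pos = region.find(BRANCH_SIG, pos + 1)
    return starts


def extract_xip(payload: bytes, imgfs_start: int, which: int = 2) -> bytes:
    """Cut xip.bin out of the payload.

    which=1 keeps from the first branch, which=2 (the post's case and the
    tool's default) from the last branch, up to but excluding imgfs_start.
    """
    starts = find_xip_starts(payload, imgfs_start)
    if len(starts) < which:
        raise ValueError(f"only {len(starts)} XIP header(s) found, wanted XIP{which}")
    start = starts[0] if which == 1 else starts[-1]
    return payload[start:imgfs_start]


def address_to_le(addr: int) -> bytes:
    """ARM stores 32-bit words little-endian: 0x8ABCDEF9 -> F9 DE BC 8A."""
    return struct.pack("<I", addr)


def find_pointer(section: bytes, addr: int) -> int:
    """Offset where addr is stored in a section (e.g. S000 of nk.exe), or -1."""
    return section.find(address_to_le(addr))


def patch_pointer(section: bytes, old_addr: int, new_addr: int) -> bytes:
    """Replace the stored old start address with the new one, both reversed."""
    off = find_pointer(section, old_addr)
    if off < 0:
        raise ValueError("old start address not present in section")
    return section[:off] + address_to_le(new_addr) + section[off + 4:]


# Constructed demo payload: 16 bytes of padding, two fake XIPs, fake IMGFS.
DEMO_XIP1 = BRANCH_SIG + b"XIP1-BODY"
DEMO_XIP2 = BRANCH_SIG + b"XIP2-BODY"
DEMO_IMGFS = b"IMGFS-BODY"
DEMO_PAYLOAD = b"\x00" * 16 + DEMO_XIP1 + DEMO_XIP2 + DEMO_IMGFS
DEMO_IMGFS_START = len(DEMO_PAYLOAD) - len(DEMO_IMGFS)

if __name__ == "__main__":
    starts = find_xip_starts(DEMO_PAYLOAD, DEMO_IMGFS_START)
    xip2 = extract_xip(DEMO_PAYLOAD, DEMO_IMGFS_START, which=2)
    print(f"branch signatures at {starts}; XIP2 is {len(xip2)} bytes")
    print("0x8ABCDEF9 as stored in S000:", address_to_le(0x8ABCDEF9).hex(" ").upper())
```

On a real payload, run find_xip_starts first and sanity-check that the number of hits is what you expect; a stray FE 03 00 EA elsewhere in the image would otherwise shift the cut point silently.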